This week the FBI issued a warning: “Cybercriminals exploit ‘safe’ websites in phishing campaigns.” Why? Because Hypertext Transfer Protocol Secure, better known simply as HTTPS, has become synonymous with security. And it is indeed secure, although certain nuances have to be taken into account.
“The presence of HTTPS and the padlock icon is supposed to indicate that web traffic is encrypted and that visitors can share data securely,” says the note from the main criminal investigation agency of the US Department of Justice.
In fact, the final “S” stands for “secure”, and browsers such as Google Chrome show a “Not secure” warning when visiting HTTP sites. It is important to make sure that the sites with which we share information use this protocol, because it indicates an encrypted connection, but that is not all we have to take into account. It does not ensure, for example, that a server is what it claims to be.
HTTPS is not a panacea
However, we all know that HTTPS is not a panacea. Unfortunately, so do the bad guys on the internet. That’s why, as the FBI points out, they exploit users’ trust in the protocol and in the icon that identifies it.
They do this by increasingly using website security certificates when carrying out phishing campaigns, serving their pages over HTTPS when they send potential victims email messages that mimic trusted companies or contacts.
The reason is that it is becoming easier to obtain the TLS certificate that lets a website administrator serve a site over HTTPS. It costs little and, through certain services, can even be obtained for free, especially since the push Google gave this protocol a few years ago through the way it treats HTTPS in both its search engine and the Chrome browser, a trend that the rest of the browsers then joined.
And the cybercriminals have taken advantage of it, as Naked Security explains:
“As expected, the criminals noticed, which explains the rise of phishing sites that started using HTTPS on their domains around 2017.
That’s the frustrating thing about the FBI’s latest warning: criminals whitening their websites using the HTTPS cover is nothing new. Two years after those first warning signs, the problem has simply gotten worse.
One could argue that confusion is an industry problem because it spent years pushing the idea of the security benefits of HTTPS without properly explaining its limits.
The concern now is that the attackers are moving beyond this gross scheme and are abusing domains backed by legitimate certificates.”
For users, all that remains is not to trust HTTPS sites, or the emails sent from them, by default; to be critical of the information they request; to confirm the legitimacy of requests sent by email when the data requested is especially sensitive; and, as always, to be as cautious as possible.
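The distinction the article draws, that the padlock proves encryption but not who is on the other end, can be made concrete with a small check. The following Python sketch is an added example, not code from the FBI notice or Naked Security; the certificates, hostnames and the `expected_domain` parameter are constructed for illustration, and the domain-validated classification is a heuristic.

```python
from urllib.parse import urlsplit

# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
# All names use the reserved .example TLD; nothing here is taken from a real site.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "bank.example.login-verify.example"),),),
    "subjectAltName": (("DNS", "bank.example.login-verify.example"),),
}
BANK_CERT = {
    "subject": ((("organizationName", "Example Bank Ltd"),),
                (("commonName", "bank.example"),)),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}


def asserted_identity(cert):
    """Return (validation_kind, organization, dns_names) the certificate vouches for."""
    subject = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    org = subject.get("organizationName")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    # Heuristic: a domain-validated certificate names only hostnames, no organization.
    return ("organization-validated" if org else "domain-validated"), org, names


def belongs_to(hostname, expected_domain):
    """True only if hostname is expected_domain itself or one of its subdomains."""
    host = hostname.lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def assess(url, cert, expected_domain):
    """Separate 'the connection is encrypted' from 'this is the site I meant'."""
    parts = urlsplit(url)
    kind, org, names = asserted_identity(cert)
    return {
        "encrypted": parts.scheme == "https",  # all the padlock tells you
        "cert_type": kind,
        "organization": org,
        "cert_names": names,
        "is_expected_site": belongs_to(parts.hostname or "", expected_domain),
    }


if __name__ == "__main__":
    print(assess("https://bank.example.login-verify.example/signin", LOOKALIKE_CERT, "bank.example"))
    print(assess("https://www.bank.example/", BANK_CERT, "bank.example"))
```

Both sample URLs come back as encrypted, but only the second one belongs to the domain the user actually intended to visit, which is the check the padlock never performs.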